RUDDER 4.3 – Focus on the ‘API rights’ feature

Since RUDDER 2.7 (almost 5 years ago!), we have provided an API that gives you access to almost all data and features of RUDDER, so you can build your own scripts and integrations and make RUDDER a better-integrated part of your IT environment (more details about the API here: https://www.rudder-project.org/rudder-api-doc/). There was one flaw in our design: all API accounts had full access to the API, so anyone holding a token could do anything. With RUDDER 4.3, this time is over. We defined an authorization system for API accounts that controls which endpoints an account can access. We also added a TTL to accounts, so a token will no longer have access to the RUDDER API forever.

Directly in your RUDDER 4.3

There are currently four levels of authorization defined in RUDDER:

No Access: Almost like a disabled state, no endpoints can be reached.

Read-only: You can only fetch data from RUDDER (access to all GET endpoints) and none of the modification endpoints.

Full: Like before, access to the full API (existing accounts will have this level).

Custom ACLs: Choose, among all API endpoints, which ones are available.

To keep it simple, only the first 3 levels can be used in RUDDER itself; Custom ACLs are enabled by a new plugin, the rudder-api-authorizations plugin. I’ll get back to this later with more details about the plugin’s possibilities.

API account table, with new data, and a little UI update!

The expiration date (TTL of an account) can either be undefined (the account will never expire) or a specific date. If an account is used after its expiration date, it will be denied access to all endpoints, like an account with “No access”.

Expiration date and access level can be defined for every account in a dedicated popup:

rudder-api-authorizations plugin

The rudder-api-authorizations plugin gives you access to two features:

Custom ACLs

User tokens

Custom ACLs allow you to define precise rights for any API account, so you can restrict an API account to the Nodes API only, or whatever you want!

The plugin allows you to have a token for every user of RUDDER; the token will have access to all APIs corresponding to the user’s authorizations (i.e. a read-only user will only have access to read-only APIs, a “node” user will have access to the Node API, and so on).

You can generate your API token by clicking on the user menu in the top right corner.
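To make the rules above concrete, here is an added example (not RUDDER’s own code, and not the plugin’s) that models the four access levels, the expiration date, custom ACLs as (method, path prefix) entries, and a user token that inherits the access level of the user’s role. The account names, the role-to-access mapping, the timestamps and the request paths are constructed for the illustration; the decision logic mirrors the behaviour described in this post, and fails closed for anything it does not recognise.

```python
"""Illustrative model of RUDDER 4.3 API account authorization.

Constructed example, not RUDDER's own implementation: it mirrors the rules the
post describes (No access / Read-only / Full / Custom ACLs, expiration date,
user tokens) so the decision logic can be read and tested in isolation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class AccessLevel(Enum):
    NO_ACCESS = "no access"      # nothing reachable (almost a disabled state)
    READ_ONLY = "read-only"      # GET endpoints only, no modification endpoint
    FULL = "full"                # every endpoint (pre-4.3 behaviour)
    CUSTOM_ACL = "custom acls"   # explicit (method, path prefix) list (plugin feature)


@dataclass(frozen=True)
class ApiAccount:
    name: str
    level: AccessLevel
    expires_at: Optional[datetime] = None           # None means "never expires"
    acl: FrozenSet[Tuple[str, str]] = frozenset()   # only consulted for CUSTOM_ACL


def is_expired(account: ApiAccount, now: datetime) -> bool:
    """An account without an expiration date never expires."""
    return account.expires_at is not None and now >= account.expires_at


def _acl_matches(entry: Tuple[str, str], method: str, path: str) -> bool:
    """An ACL entry covers its exact path and everything below it."""
    acl_method, acl_prefix = entry
    below = path.startswith(acl_prefix.rstrip("/") + "/")
    return acl_method == method and (path == acl_prefix or below)


def is_allowed(account: ApiAccount, method: str, path: str, now: datetime) -> bool:
    """Decide whether `account` may call `method path` at time `now`.

    An expired account is treated exactly like "No access", and any level the
    function does not know about is denied (fail closed).
    """
    if is_expired(account, now):
        return False
    if account.level is AccessLevel.NO_ACCESS:
        return False
    if account.level is AccessLevel.FULL:
        return True
    if account.level is AccessLevel.READ_ONLY:
        return method == "GET"
    if account.level is AccessLevel.CUSTOM_ACL:
        return any(_acl_matches(entry, method, path) for entry in account.acl)
    return False


# Hypothetical role-to-access mapping for user tokens: a user's token gets the
# rights of the user's role. The "node" role is modelled as a custom ACL that
# only covers the nodes endpoints (constructed mapping, not RUDDER's own).
USER_ROLE_ACCESS: Dict[str, Tuple[AccessLevel, FrozenSet[Tuple[str, str]]]] = {
    "administrator": (AccessLevel.FULL, frozenset()),
    "read_only": (AccessLevel.READ_ONLY, frozenset()),
    "node": (AccessLevel.CUSTOM_ACL,
             frozenset({("GET", "/api/latest/nodes"), ("POST", "/api/latest/nodes")})),
}


def account_for_user(username: str, role: str) -> ApiAccount:
    """Build the API account backing a user token; unknown roles get no access."""
    level, acl = USER_ROLE_ACCESS.get(role, (AccessLevel.NO_ACCESS, frozenset()))
    return ApiAccount(name=f"user:{username}", level=level, acl=acl)


NOW = datetime(2018, 4, 1, tzinfo=timezone.utc)   # constructed "current time"

# Constructed sample accounts covering each situation the post describes.
ACCOUNTS: Dict[str, ApiAccount] = {
    "legacy": ApiAccount("legacy", AccessLevel.FULL),
    "monitoring": ApiAccount("monitoring", AccessLevel.READ_ONLY),
    "disabled": ApiAccount("disabled", AccessLevel.NO_ACCESS),
    "expired": ApiAccount("expired", AccessLevel.FULL,
                          expires_at=datetime(2018, 3, 1, tzinfo=timezone.utc)),
    "nodes-only": account_for_user("alice", "node"),
}

# Constructed sample requests: one read, one write on nodes, one write elsewhere.
REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/api/latest/nodes/node1"),
    ("POST", "/api/latest/nodes"),
    ("DELETE", "/api/latest/rules/rule1"),
]


def decision_table(accounts=ACCOUNTS, requests=REQUESTS, now=NOW) -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample request against every sample account."""
    return {name: {f"{m} {p}": is_allowed(acc, m, p, now) for m, p in requests}
            for name, acc in accounts.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:12s} {row}")
```

The two design points worth keeping when enforcing such a scheme are visible in `is_allowed`: the expiration check runs before any level is considered, so a stale token cannot keep working through a permissive level, and the final `return False` means a new or misconfigured level denies rather than grants.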

What’s next?

RUDDER 4.3 brings the last consolidations of the features that version 4.0 introduced. The feedback we received allowed us to enrich and perfect them over 3 versions while working on the big novelties that will appear soon in RUDDER 5.

Indeed, the next version is going to be a major release, which will bring many changes both inside and outside Rudder, including: